OC ACL

Packages:

  • openconfig-acl.yang
  • openconfig-packet-match-types.yang
  • openconfig-packet-match.yang

Creating an IPv4 ACL Policy with ACE

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo</name>
            <type>ACL_IPV4</type>
            <config>
              <name>foo</name>
              <type>ACL_IPV4</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>100</sequence-id>
                <config>
                  <sequence-id>100</sequence-id>
                </config>
                <ipv4>
                  <config>
                    <source-address>0.0.0.0/0</source-address>
                    <destination-address>0.0.0.0/0</destination-address>
                    <dscp>0</dscp>
                    <protocol>4</protocol>
                    <hop-limit>5</hop-limit>
                  </config>
                </ipv4>
                <actions>
                  <config>
                    <forwarding-action>ACCEPT</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
    <ok/>
</rpc-reply>

Container: IPv4 ACL – acl/acl-sets

Type: Config Data


CLI Commands

The following CLI commands are equivalent to the payload example above.

ip access-list foo
 100 permit ip any any dscp default ttl 5

Querying an IPv4 ACL Policy

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo</name>
            <type>ACL_IPV4</type>
          </acl-set>
        </acl-sets>
      </acl>
    </filter>
  </get-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:4d239666-2f95-4156-ad80-6ff1de8b0599">
    <data>
        <acl xmlns="http://openconfig.net/yang/acl">
            <acl-sets>
                <acl-set>
                    <name>foo</name>
                    <type>ACL_IPV4</type>
                    <acl-entries>
                        <acl-entry>
                            <actions>
                                <config>
                                    <forwarding-action>ACCEPT</forwarding-action>
                                </config>
                            </actions>
                            <config>
                                <sequence-id>100</sequence-id>
                            </config>
                            <ipv4>
                                <config>
                                    <destination-address>0.0.0.0/0</destination-address>
                                    <dscp>0</dscp>
                                    <hop-limit>5</hop-limit>
                                    <protocol>4</protocol>
                                    <source-address>0.0.0.0/0</source-address>
                                </config>
                            </ipv4>
                            <sequence-id>100</sequence-id>
                        </acl-entry>
                    </acl-entries>
                    <config>
                        <name>foo</name>
                        <type>ACL_IPV4</type>
                    </config>
                </acl-set>
            </acl-sets>
        </acl>
    </data>
</rpc-reply>


CLI Commands

The following CLI commands are equivalent to the payload example above.

show run aclmgr

ip access-list foo
 100 permit ip any any dscp default ttl 5

Note: To get the state data along with the config data, use the <get> method.

Deleting an IPv4 ACL Policy

Request:
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set xc:operation="delete">
            <name>foo</name>
            <type>ACL_IPV4</type>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
    <ok/>
</rpc-reply>


CLI Commands

The following CLI commands are equivalent to the payload example above.

no ip access-list foo

Creating IPv6 ACL policy with ACE

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo6</name>
            <type>ACL_IPV6</type>
            <config>
              <name>foo6</name>
              <type>ACL_IPV6</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>200</sequence-id>
                <config>
                  <sequence-id>200</sequence-id>
                </config>
                <ipv6>
                  <config>
                    <source-address>10::10/64</source-address>
                    <destination-address>10::11/64</destination-address>
                    <protocol>IP_TCP</protocol>
                  </config>
                </ipv6>
                <actions>
                  <config>
                    <forwarding-action>DROP</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
    <ok/>
</rpc-reply>

Container: IPv6 ACL – acl/acl-sets

Type: Config Data


CLI Commands

The following CLI commands are equivalent to the payload example above.

ipv6 access-list foo6
 200 deny tcp 10::10/64 10::11/64

Querying an IPv6 ACL Policy

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo6</name>
            <type>ACL_IPV6</type>
          </acl-set>
        </acl-sets>
      </acl>
    </filter>
  </get-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
        <acl xmlns="http://openconfig.net/yang/acl">
            <acl-sets>
                <acl-set>
                    <name>foo6</name>
                    <acl-entries>
                        <acl-entry>
                            <actions>
                                <config>
                                    <forwarding-action>DROP</forwarding-action>
                                </config>
                            </actions>
                            <config>
                                <sequence-id>200</sequence-id>
                            </config>
                            <ipv6>
                                <config>
                                    <destination-address>10::11/64</destination-address>
                                    <protocol>IP_TCP</protocol>
                                    <source-address>10::10/64</source-address>
                                </config>
                            </ipv6>
                            <sequence-id>200</sequence-id>
                        </acl-entry>
                    </acl-entries>
                    <config>
                        <name>foo6</name>
                        <type>ACL_IPV6</type>
                    </config>
                    <type>ACL_IPV6</type>
                </acl-set>
            </acl-sets>
        </acl>
    </data>
</rpc-reply>


CLI Output

switch# show run aclmgr

ipv6 access-list foo6
 200 deny tcp 10::10/64 10::11/64

Note: To get the state data along with the config data, use the <get> method.

Deleting an IPv6 ACL Policy

Request:
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set xc:operation="delete">
            <name>foo6</name>
            <type>ACL_IPV6</type>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
  <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <ok/>
  </rpc-reply>


CLI Commands

The following CLI commands are equivalent to the payload example above.

no ipv6 access-list foo6

Creating a Layer 2/MAC ACL Policy with ACE

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>fooMac</name>
            <type>ACL_L2</type>
            <config>
              <name>fooMac</name>
              <type>ACL_L2</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>10</sequence-id>
                <config>
                  <sequence-id>10</sequence-id>
                </config>
                <l2>
                  <config>
                    <source-mac>00:01:00:02:00:03</source-mac>
                    <source-mac-mask>00:00:00:00:00:00</source-mac-mask>
                    <destination-mac>00:01:00:02:00:02</destination-mac>
                    <destination-mac-mask>00:00:00:00:00:00</destination-mac-mask>
                    <ethertype>0x806</ethertype>
                  </config>
                </l2>
                <actions>
                  <config>
                    <forwarding-action>ACCEPT</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
    <ok/>
</rpc-reply>

Container: L2 ACL – acl/acl-sets

Type: Config Data


CLI Commands

The following CLI commands are equivalent to the payload example above.

mac access-list fooMac
 10 permit 0001.0002.0003 0000.0000.0000 0001.0002.0002 0000.0000.0000 0x806

Querying a MAC ACL policy

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>fooMac</name>
            <type>ACL_L2</type>
          </acl-set>
        </acl-sets>
      </acl>
    </filter>
  </get-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
    <data>
        <acl xmlns="http://openconfig.net/yang/acl">
            <acl-sets>
                <acl-set>
                    <name>fooMac</name>
                    <type>ACL_L2</type>
                    <acl-entries>
                        <acl-entry>
                            <actions>
                                <config>
                                    <forwarding-action>ACCEPT</forwarding-action>
                                </config>
                            </actions>
                            <config>
                                <sequence-id>10</sequence-id>
                            </config>
                            <l2>
                              <config>
                                 <destination-mac>00:01:00:02:00:02</destination-mac>
                                 <destination-mac-mask>00:00:00:00:00:00</destination-mac-mask>
                                 <ethertype>ETHERTYPE_ARP</ethertype>
                                 <source-mac>00:01:00:02:00:03</source-mac>
                                 <source-mac-mask>00:00:00:00:00:00</source-mac-mask>
                              </config>
                            </l2>
                            <sequence-id>10</sequence-id>
                        </acl-entry>
                    </acl-entries>
                    <config>
                        <name>fooMac</name>
                        <type>ACL_L2</type>
                    </config>
                </acl-set>
            </acl-sets>
        </acl>
    </data>
</rpc-reply>


CLI Output

switch# show run aclmgr

mac access-list fooMac
 10 permit 0001.0002.0003 0000.0000.0000 0001.0002.0002 0000.0000.0000 0x806

Note: To get the state data along with the config data, use the <get> method.

Deleting a MAC ACL Policy

Request:
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set xc:operation="delete">
            <name>fooMac</name>
            <type>ACL_L2</type>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <ok/>
</rpc-reply>


CLI Commands

The following CLI commands are equivalent to the payload example above.

no mac access-list fooMac

Applying an IPv4 ACL Policy to a Layer 3 Interface

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <interfaces>
          <interface>
            <id>eth1/2</id>
            <config>
              <id>eth1/2</id>
            </config>
            <interface-ref>
              <config>
                <interface>eth1/2</interface>
              </config>
            </interface-ref>
            <ingress-acl-sets>
              <ingress-acl-set>
                <set-name>foo</set-name>
                <type>ACL_IPV4</type>
                <config>
                  <set-name>foo</set-name>
                  <type>ACL_IPV4</type>
                </config>
              </ingress-acl-set>
            </ingress-acl-sets>
            <egress-acl-sets>
              <egress-acl-set>
                <set-name>foo</set-name>
                <type>ACL_IPV4</type>
                <config>
                  <set-name>foo</set-name>
                  <type>ACL_IPV4</type>
                </config>
              </egress-acl-set>
            </egress-acl-sets>
          </interface>
        </interfaces>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
    <ok/>
</rpc-reply>

Container: IPv4 RACL - acl/interfaces

Type: Config Data


CLI Commands

The following CLI commands are equivalent to the payload example above.

interface ethernet1/2
 ip access-group foo in
 ip access-group foo out

Querying an IPv4 ACL Policy Applied to an Interface

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <interfaces/>
      </acl>
    </filter>
  </get-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <data>
        <acl xmlns="http://openconfig.net/yang/acl">
            <interfaces>
                <interface>
                    <config>
                        <id>eth1/2</id>
                    </config>
                    <id>eth1/2</id>
                    <egress-acl-sets>
                        <egress-acl-set>
                            <config>
                                <set-name>foo</set-name>
                                <type>ACL_IPV4</type>
                            </config>
                            <set-name>foo</set-name>
                            <type>ACL_IPV4</type>
                        </egress-acl-set>
                    </egress-acl-sets>
                    <ingress-acl-sets>
                        <ingress-acl-set>
                            <config>
                                <set-name>foo</set-name>
                                <type>ACL_IPV4</type>
                            </config>
                            <set-name>foo</set-name>
                            <type>ACL_IPV4</type>
                        </ingress-acl-set>
                    </ingress-acl-sets>
                    <interface-ref>
                        <config>
                            <interface>eth1/2</interface>
                        </config>
                    </interface-ref>
                </interface>
            </interfaces>
        </acl>
    </data>
</rpc-reply>

CLI Output
switch# show ip access-lists foo summary  

IPV4 ACL foo
        Statistics enabled
        Total ACEs Configured: 1
        Configured on interfaces:
                Ethernet1/2 - ingress (Router ACL)
                Ethernet1/2 - egress (Router ACL)
        Active on interfaces:
                Ethernet1/2 - ingress (Router ACL)
                Ethernet1/2 - egress (Router ACL)

Note: To get the state data along with the config data, use the <get> method.
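
Added example (not part of the original documentation, and not vendor code): a Python audit of a <get-config> reply for the openconfig-acl model. It flags ACCEPT entries that match any source to any destination (as ACL foo does above), ACL sets bound to no interface, and interface bindings that name an ACL set missing from the reply. The sample reply is constructed, the finding names and the set name "ghost6" are this example's own, and an omitted address leaf is assumed to mean "any".

```python
import ipaddress
import xml.etree.ElementTree as ET

OC = "{http://openconfig.net/yang/acl}"  # openconfig-acl namespace used on this page

# Constructed sample reply (not captured from a device): "foo" permits any to any
# and is bound to eth1/2, "foo6" is defined but unbound, and eth1/6 is bound to
# "ghost6" (a made-up name), which the reply does not define.
SAMPLE_REPLY = """\
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
 <data><acl xmlns="http://openconfig.net/yang/acl">
  <acl-sets>
   <acl-set>
    <name>foo</name><type>ACL_IPV4</type>
    <acl-entries><acl-entry>
     <sequence-id>100</sequence-id>
     <ipv4><config>
      <source-address>0.0.0.0/0</source-address>
      <destination-address>0.0.0.0/0</destination-address>
     </config></ipv4>
     <actions><config><forwarding-action>ACCEPT</forwarding-action></config></actions>
    </acl-entry></acl-entries>
   </acl-set>
   <acl-set>
    <name>foo6</name><type>ACL_IPV6</type>
    <acl-entries><acl-entry>
     <sequence-id>200</sequence-id>
     <ipv6><config>
      <source-address>10::10/64</source-address>
      <destination-address>10::11/64</destination-address>
     </config></ipv6>
     <actions><config><forwarding-action>DROP</forwarding-action></config></actions>
    </acl-entry></acl-entries>
   </acl-set>
  </acl-sets>
  <interfaces>
   <interface>
    <id>eth1/2</id>
    <interface-ref><config><interface>eth1/2</interface></config></interface-ref>
    <ingress-acl-sets><ingress-acl-set>
     <set-name>foo</set-name><type>ACL_IPV4</type>
    </ingress-acl-set></ingress-acl-sets>
   </interface>
   <interface>
    <id>eth1/6</id>
    <ingress-acl-sets><ingress-acl-set>
     <set-name>ghost6</set-name><type>ACL_IPV6</type>
    </ingress-acl-set></ingress-acl-sets>
   </interface>
  </interfaces>
 </acl></data>
</rpc-reply>
"""


def _is_any(prefix):
    """True if the prefix covers all addresses (omitted leaf assumed to mean any)."""
    if prefix is None:
        return True
    return ipaddress.ip_network(prefix.strip(), strict=False).prefixlen == 0


def audit(reply_xml):
    """Return sorted (finding, acl_set_name, detail) tuples for one reply."""
    root = ET.fromstring(reply_xml)
    findings, defined, bound = [], set(), set()
    for acl_set in root.iter(OC + "acl-set"):
        key = (acl_set.findtext(OC + "name"), acl_set.findtext(OC + "type"))
        defined.add(key)
        for entry in acl_set.iter(OC + "acl-entry"):
            action = entry.findtext(f"{OC}actions/{OC}config/{OC}forwarding-action")
            cfg = entry.find(f"{OC}ipv4/{OC}config")
            if cfg is None:
                cfg = entry.find(f"{OC}ipv6/{OC}config")
            if cfg is None or action != "ACCEPT":
                continue  # L2 entries and non-permit actions are out of scope here
            src = cfg.findtext(OC + "source-address")
            dst = cfg.findtext(OC + "destination-address")
            if _is_any(src) and _is_any(dst):
                seq = entry.findtext(OC + "sequence-id")
                findings.append(("permit-any-any", key[0], f"sequence {seq}"))
    # Match only <interface> list entries, not the <interface> leaf in interface-ref.
    for intf in root.iterfind(f".//{OC}interfaces/{OC}interface"):
        intf_id = intf.findtext(OC + "id")
        for direction in ("ingress", "egress"):
            path = f"{OC}{direction}-acl-sets/{OC}{direction}-acl-set"
            for binding in intf.iterfind(path):
                key = (binding.findtext(OC + "set-name"), binding.findtext(OC + "type"))
                bound.add(key)
                if key not in defined:
                    findings.append(("undefined-acl-bound", key[0], f"{intf_id} {direction}"))
    for name, acl_type in defined - bound:
        findings.append(("unbound-acl", name, acl_type))
    return sorted(findings)


if __name__ == "__main__":
    print(*audit(SAMPLE_REPLY), sep="\n")
```

Run it on a reply that covers the whole acl container: a reply filtered to acl-sets alone makes every set look unbound, and one filtered to interfaces alone makes every binding look undefined.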

Querying Matched Packets Per IPv4 ACE

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo</name>
            <type>ACL_IPV4</type>
            <acl-entries>
              <acl-entry>
                <state>
                  <matched-packets/>
                </state>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </filter>
  </get>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <data>
        <acl xmlns="http://openconfig.net/yang/acl">
            <acl-sets>
                <acl-set>
                    <name>foo</name>
                    <type>ACL_IPV4</type>
                    <acl-entries>
                        <acl-entry>
                            <sequence-id>10</sequence-id>
                            <state>
                                <matched-packets>10</matched-packets>
                            </state>
                        </acl-entry>
                    </acl-entries>
                </acl-set>
            </acl-sets>
        </acl>
    </data>
</rpc-reply>

Note: The statistics per-entry should be configured through the CLI for the matched packets to be returned in the <get> response shown above.

Type: State Data


CLI Commands

ip access-list foo
 statistics per-entry
 10 deny icmp any any

interface Ethernet1/2
 ip access-group foo in
 ip access-group foo out


CLI Output

The CLI output below is equivalent to the payload example above.

switch# show ip access-lists foo

IP access list foo
  statistics per-entry
  10 deny icmp any any [match=10]

Note: To get the state data along with the config data, use the <get> method.

Applying an IPv6 ACL Policy to a Layer 3 Interface

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <interfaces>
          <interface>
            <id>eth1/6</id>
            <config>
              <id>eth1/6</id>
            </config>
            <interface-ref>
              <config>
                <interface>eth1/6</interface>
              </config>
            </interface-ref>
            <ingress-acl-sets>
              <ingress-acl-set>
                <set-name>foo6</set-name>
                <type>ACL_IPV6</type>
                <config>
                  <set-name>foo6</set-name>
                  <type>ACL_IPV6</type>
                </config>
              </ingress-acl-set>
            </ingress-acl-sets>
          </interface>
        </interfaces>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
    <ok/>
</rpc-reply>

Container: IPv6 RACL – acl/interfaces

Type: Config Data


CLI Commands

The following CLI commands are equivalent to the payload example above.

interface Ethernet1/6
 ipv6 traffic-filter foo6 in

Querying an IPv6 ACL Policy Applied to an Interface

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <interfaces>
          <interface>
            <id>eth1/6</id>
          </interface>
        </interfaces>
      </acl>
    </filter>
  </get-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <data>
        <acl xmlns="http://openconfig.net/yang/acl">
            <interfaces>
                <interface>
                    <id>eth1/6</id>
                    <config>
                        <id>eth1/6</id>
                    </config>
                    <ingress-acl-sets>
                        <ingress-acl-set>
                            <config>
                                <set-name>foo6</set-name>
                                <type>ACL_IPV6</type>
                            </config>
                            <set-name>foo6</set-name>
                            <type>ACL_IPV6</type>
                        </ingress-acl-set>
                    </ingress-acl-sets>
                    <interface-ref>
                        <config>
                            <interface>eth1/6</interface>
                        </config>
                    </interface-ref>
                </interface>
            </interfaces>
        </acl>
    </data>
</rpc-reply>

CLI Output
switch# show ipv6 access-lists foo6 summary 

IPV6 ACL foo6
        Statistics enabled
        Total ACEs Configured: 1
        Configured on interfaces:
                Ethernet1/6 - ingress (Router ACL)
        Active on interfaces:
                Ethernet1/6 - ingress (Router ACL)

Note: To get the state data along with the config data, use the <get> method.

Querying Matched Packets Per IPv6 ACE

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>foo6</name>
            <type>ACL_IPV6</type>
          </acl-set>
        </acl-sets>
        <interfaces>
          <interface>
            <id>eth1/6</id>
          </interface>
        </interfaces>
      </acl>
    </filter>
  </get>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
        <acl xmlns="http://openconfig.net/yang/acl">
            <acl-sets>
                <acl-set>
                    <name>foo6</name>
                    <acl-entries>
                        <acl-entry>
                            <actions>
                                <config>
                                    <forwarding-action>DROP</forwarding-action>
                                </config>
                            </actions>
                            <config>
                                <sequence-id>200</sequence-id>
                            </config>
                            <ipv6>
                                <config>
                                    <destination-address>10::11/64</destination-address>
                                    <protocol>58</protocol>
                                    <source-address>10::10/64</source-address>
                                </config>
                            </ipv6>
                            <sequence-id>200</sequence-id>
                            <state>
                                <matched-packets>10</matched-packets>
                            </state>
                        </acl-entry>
                    </acl-entries>
                    <config>
                        <name>foo6</name>
                        <type>ACL_IPV6</type>
                    </config>
                    <type>ACL_IPV6</type>
                </acl-set>
            </acl-sets>
            <interfaces>
                <interface>
                    <name>eth1/6</name>
                    <id>eth1/6</id>
                    <config>
                        <id>eth1/6</id>
                    </config>
                    <ingress-acl-sets>
                        <ingress-acl-set>
                            <config>
                                <set-name>foo6</set-name>
                                <type>ACL_IPV6</type>
                            </config>
                            <set-name>foo6</set-name>
                            <type>ACL_IPV6</type>
                        </ingress-acl-set>
                    </ingress-acl-sets>
                    <interface-ref>
                        <config>
                            <interface>eth1/6</interface>
                        </config>
                    </interface-ref>
                </interface>
            </interfaces>
        </acl>
    </data>
</rpc-reply>

Note: The statistics per-entry should be configured through the CLI for the matched packets to be returned in the <get> response shown above.

Type: State Data


CLI Commands

ipv6 access-list foo6
 statistics per-entry
 200 deny icmp 10::10/64 10::11/64

interface Ethernet1/6
 ipv6 traffic-filter foo6 in


CLI Output

The CLI output below is equivalent to the payload example above.

switch# show ipv6 access-lists foo6

IPv6 access list foo6
 statistics per-entry
 200 deny icmp 10::10/64 10::11/64 [match=10]

Note: To get the state data along with the config data, use the <get> method.

Applying a MAC ACL Policy to a Layer 2 Interface

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <interfaces>
          <interface>
            <id>eth1/1</id>
            <config>
              <id>eth1/1</id>
            </config>
            <interface-ref>
              <config>
                <interface>eth1/1</interface>
              </config>
            </interface-ref>
            <ingress-acl-sets>
              <ingress-acl-set>
                <set-name>fooMac</set-name>
                <type>ACL_L2</type>
                <config>
                  <set-name>fooMac</set-name>
                  <type>ACL_L2</type>
                </config>
              </ingress-acl-set>
            </ingress-acl-sets>
          </interface>
        </interfaces>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
    <ok/>
</rpc-reply>

Container: MAC Port ACL – acl/interfaces

Type: Config Data


CLI Commands

The following CLI commands are equivalent to the payload example above.

interface Ethernet1/1
 mac port access-group fooMac

Querying a MAC ACL Policy Applied to an Interface

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <interfaces>
          <interface>
            <id>eth1/1</id>
          </interface>
        </interfaces>
      </acl>
    </filter>
  </get-config>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <data>
        <acl xmlns="http://openconfig.net/yang/acl">
            <interfaces>
                <interface>
                    <id>eth1/1</id>
                    <config>
                        <id>eth1/1</id>
                    </config>
                    <ingress-acl-sets>
                        <ingress-acl-set>
                            <config>
                                <set-name>fooMac</set-name>
                                <type>ACL_L2</type>
                            </config>
                            <set-name>fooMac</set-name>
                            <type>ACL_L2</type>
                        </ingress-acl-set>
                    </ingress-acl-sets>
                    <interface-ref>
                        <config>
                            <interface>eth1/1</interface>
                        </config>
                    </interface-ref>
                </interface>
            </interfaces>
        </acl>
    </data>
</rpc-reply>

CLI Output
The following CLI output is equivalent to the payload example above.

switch# show mac access-lists fooMac summary

MAC ACL fooMac
        Statistics enabled
        Total ACEs Configured: 1
        Configured on interfaces:
                Ethernet1/1 - ingress (Port ACL)
        Active on interfaces:
                Ethernet1/1 - ingress (Port ACL)

Note: To get the state data along with the config data, use the <get> method.

Querying Matched Packets Per MAC ACE

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>fooMac</name>
            <type>ACL_L2</type>
            <acl-entries>
              <acl-entry>
                <state>
                  <matched-packets/>
                </state>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </filter>
  </get>
</rpc>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <data>
        <acl xmlns="http://openconfig.net/yang/acl">
            <acl-sets>
                <acl-set>
                    <name>fooMac</name>
                    <type>ACL_L2</type>
                    <acl-entries>
                        <acl-entry>
                            <sequence-id>10</sequence-id>
                            <state>
                                <matched-packets>4</matched-packets>
                            </state>
                        </acl-entry>
                    </acl-entries>
                </acl-set>
            </acl-sets>
        </acl>
    </data>
</rpc-reply>

Note: The statistics per-entry should be configured through the CLI for the matched packets to be returned in the <get> response shown above.

Type: State Data


CLI Commands

mac access-list fooMac
 statistics per-entry
 10 deny any 380e.4d40.eb7f ffff.ffff.ffff

interface Ethernet1/1
 mac port access-group fooMac


CLI Output

The CLI output below is equivalent to the payload example shown above.

switch# show mac access-lists fooMac

MAC access list fooMac
  statistics per-entry
  10 deny any 380e.4d40.eb7f ffff.ffff.ffff [match=4]

Note: To get the state data along with the config data, use the <get> method.
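
An added example, not from the original page: polling the <get> reply above twice and computing the per-ACE matched-packets delta, which is how a rising hit count on a deny entry is noticed. The replies are constructed by the hypothetical helper _reply, and a counter lower than in the previous poll is assumed to mean the statistics were cleared.

```python
import xml.etree.ElementTree as ET

NS = {"oc": "http://openconfig.net/yang/acl"}

def _reply(counters):
    """Build a constructed <get> reply for ACL fooMac from {sequence-id: matched-packets}."""
    entries = "".join(
        f"<acl-entry><sequence-id>{seq}</sequence-id>"
        f"<state><matched-packets>{n}</matched-packets></state></acl-entry>"
        for seq, n in counters.items())
    return ('<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><data>'
            '<acl xmlns="http://openconfig.net/yang/acl"><acl-sets><acl-set>'
            "<name>fooMac</name><type>ACL_L2</type>"
            f"<acl-entries>{entries}</acl-entries></acl-set></acl-sets></acl></data></rpc-reply>")

def matched_packets(xml_text):
    """Map (acl name, acl type, sequence-id) -> matched-packets from one reply."""
    counters = {}
    for s in ET.fromstring(xml_text).findall(".//oc:acl-sets/oc:acl-set", NS):
        name = s.findtext("oc:name", namespaces=NS)
        typ = s.findtext("oc:type", namespaces=NS)
        for e in s.findall("oc:acl-entries/oc:acl-entry", NS):
            seq = e.findtext("oc:sequence-id", namespaces=NS)
            hits = e.findtext("oc:state/oc:matched-packets", namespaces=NS)
            # Entries that carry no counter in the reply are skipped.
            if seq is not None and hits is not None:
                counters[(name, typ, int(seq))] = int(hits)
    return counters

def hit_deltas(previous_xml, current_xml):
    """Packets matched per ACE between two polls; a lower value is treated as a reset."""
    prev, cur = matched_packets(previous_xml), matched_packets(current_xml)
    deltas = {}
    for key, now in cur.items():
        before = prev.get(key, 0)  # ACE not seen in the earlier poll counts from zero
        deltas[key] = now - before if now >= before else now
    return deltas

if __name__ == "__main__":
    first, second = _reply({10: 4}), _reply({10: 9, 20: 0})
    for (name, typ, seq), delta in sorted(hit_deltas(first, second).items()):
        print(f"{name} ({typ}) seq {seq}: +{delta} packets")
```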

Creating the Combination Payload for the OC ACL Model

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>full-ipv4</name>
            <type>ACL_IPV4</type>
            <config>
              <name>full-ipv4</name>
              <type>ACL_IPV4</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>123</sequence-id>
                <config>
                  <sequence-id>123</sequence-id>
                </config>
                <ipv4>
                  <config>
                    <source-address>0.0.0.0/0</source-address>
                    <destination-address>0.0.0.0/0</destination-address>
                    <dscp>25</dscp>
                    <protocol>IP_TCP</protocol>
                    <hop-limit>5</hop-limit>
                  </config>
                </ipv4>
                <transport>
                  <config>
                    <source-port>10</source-port>
                    <destination-port>20</destination-port>
                    <tcp-flags>TCP_ACK</tcp-flags>
                  </config>
                </transport>
                <actions>
                  <config>
                    <forwarding-action>ACCEPT</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
          <acl-set>
            <name>full-mac</name>
            <type>ACL_L2</type>
            <config>
              <name>full-mac</name>
              <type>ACL_L2</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>1</sequence-id>
                <config>
                  <sequence-id>1</sequence-id>
                </config>
                <l2>
                  <config>
                    <source-mac>01:02:03:04:05:06</source-mac>
                    <source-mac-mask>00:00:00:00:00:00</source-mac-mask>
                    <destination-mac>01:02:03:04:05:07</destination-mac>
                    <destination-mac-mask>FF:FF:FF:FF:FF:FF</destination-mac-mask>
                    <ethertype>ETHERTYPE_ARP</ethertype>
                  </config>
                </l2>
                <actions>
                  <config>
                    <forwarding-action>ACCEPT</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
          <acl-set>
            <name>full-ipv6</name>
            <type>ACL_IPV6</type>
            <config>
              <name>full-ipv6</name>
              <type>ACL_IPV6</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>12</sequence-id>
                <config>
                  <sequence-id>12</sequence-id>
                </config>
                <ipv6>
                  <config>
                    <source-address>0::0/0</source-address>
                    <destination-address>0::0/0</destination-address>
                    <dscp>23</dscp>
                    <protocol>41</protocol>
                  </config>
                </ipv6>
                <actions>
                  <config>
                    <forwarding-action>DROP</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
        <interfaces>
          <interface>
            <id>eth1/31.23</id>
            <config>
              <id>eth1/31.23</id>
            </config>
            <interface-ref>
              <config>
                <interface>eth1/31</interface>
                <subinterface>23</subinterface>
              </config>
            </interface-ref>
            <ingress-acl-sets>
              <ingress-acl-set>
                <set-name>full-ipv6</set-name>
                <type>ACL_IPV6</type>
                <config>
                  <set-name>full-ipv6</set-name>
                  <type>ACL_IPV6</type>
                </config>
              </ingress-acl-set>
            </ingress-acl-sets>
          </interface>
          <interface>
            <id>eth1/31</id>
            <config>
              <id>eth1/31</id>
            </config>
            <interface-ref>
              <config>
                <interface>eth1/31</interface>
              </config>
            </interface-ref>
            <ingress-acl-sets>
              <ingress-acl-set>
                <set-name>full-ipv4</set-name>
                <type>ACL_IPV4</type>
                <config>
                  <set-name>full-ipv4</set-name>
                  <type>ACL_IPV4</type>
                </config>
              </ingress-acl-set>
            </ingress-acl-sets>
            <egress-acl-sets>
              <egress-acl-set>
                <set-name>full-ipv4</set-name>
                <type>ACL_IPV4</type>
                <config>
                  <set-name>full-ipv4</set-name>
                  <type>ACL_IPV4</type>
                </config>
              </egress-acl-set>
            </egress-acl-sets>
          </interface>
          <interface>
            <id>eth1/32</id>
            <config>
              <id>eth1/32</id>
            </config>
            <interface-ref>
              <config>
                <interface>eth1/32</interface>
              </config>
            </interface-ref>
            <ingress-acl-sets>
              <ingress-acl-set>
                <set-name>full-mac</set-name>
                <type>ACL_L2</type>
                <config>
                  <set-name>full-mac</set-name>
                  <type>ACL_L2</type>
                </config>
              </ingress-acl-set>
            </ingress-acl-sets>
          </interface>
        </interfaces>
      </acl>
    </config>
  </edit-config>
</rpc>

Response:
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <ok/>
</rpc-reply>

Note: Subinterface Eth1/31.23 should already exist on the device before the above payload is executed.

CLI Output
ip access-list full-ipv4
  123 permit tcp any eq 10 any eq 20 ack dscp 25 ttl 5 
ipv6 access-list full-ipv6
  12 deny ipv6 any any dscp 23 
mac access-list full-mac
  1 permit 0102.0304.0506 0000.0000.0000 0102.0304.0507 ffff.ffff.ffff 0x806 

interface Ethernet1/31
  ip access-group full-ipv4 in
  ip access-group full-ipv4 out

interface Ethernet1/31.23
  ipv6 traffic-filter full-ipv6 in

interface Ethernet1/32
  mac port access-group full-mac
  

Querying a Configuration on the Combination Payload for the OC ACL Model

Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get-config>
    <source>
      <running/>
    </source>
    <filter>
      <acl xmlns="http://openconfig.net/yang/acl"/>
    </filter>
  </get-config>
</rpc>

Response:
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
    <data>
        <acl xmlns="http://openconfig.net/yang/acl">
            <interfaces>
                <interface>
                    <config>
                        <id>eth1/31</id>
                    </config>
                    <id>eth1/31</id>
                    <egress-acl-sets>
                        <egress-acl-set>
                            <config>
                                <set-name>full-ipv4</set-name>
                                <type>ACL_IPV4</type>
                            </config>
                            <set-name>full-ipv4</set-name>
                            <type>ACL_IPV4</type>
                        </egress-acl-set>
                    </egress-acl-sets>
                    <ingress-acl-sets>
                        <ingress-acl-set>
                            <config>
                                <set-name>full-ipv4</set-name>
                                <type>ACL_IPV4</type>
                            </config>
                            <set-name>full-ipv4</set-name>
                            <type>ACL_IPV4</type>
                        </ingress-acl-set>
                    </ingress-acl-sets>
                    <interface-ref>
                        <config>
                            <interface>eth1/31</interface>
                        </config>
                    </interface-ref>
                </interface>
                <interface>
                    <config>
                        <id>eth1/31.23</id>
                    </config>
                    <id>eth1/31.23</id>
                    <ingress-acl-sets>
                        <ingress-acl-set>
                            <config>
                                <set-name>full-ipv6</set-name>
                                <type>ACL_IPV6</type>
                            </config>
                            <set-name>full-ipv6</set-name>
                            <type>ACL_IPV6</type>
                        </ingress-acl-set>
                    </ingress-acl-sets>
                    <interface-ref>
                        <config>
                            <interface>eth1/31</interface>
                            <subinterface>23</subinterface>
                        </config>
                    </interface-ref>
                </interface>
                <interface>
                    <config>
                        <id>eth1/32</id>
                    </config>
                    <id>eth1/32</id>
                    <ingress-acl-sets>
                        <ingress-acl-set>
                            <config>
                                <set-name>full-mac</set-name>
                                <type>ACL_L2</type>
                            </config>
                            <set-name>full-mac</set-name>
                            <type>ACL_L2</type>
                        </ingress-acl-set>
                    </ingress-acl-sets>
                    <interface-ref>
                        <config>
                            <interface>eth1/32</interface>
                        </config>
                    </interface-ref>
                </interface>
            </interfaces>
            <acl-sets>
                <acl-set>
                    <acl-entries>
                        <acl-entry>
                            <actions>
                                <config>
                                    <forwarding-action>ACCEPT</forwarding-action>
                                </config>
                            </actions>
                            <config>
                                <sequence-id>123</sequence-id>
                            </config>
                            <ipv4>
                                <config>
                                    <destination-address>0.0.0.0/0</destination-address>
                                    <dscp>25</dscp>
                                    <hop-limit>5</hop-limit>
                                    <protocol>IP_TCP</protocol>
                                    <source-address>0.0.0.0/0</source-address>
                                </config>
                            </ipv4>
                            <sequence-id>123</sequence-id>
                            <transport>
                                <config>
                                    <destination-port>20</destination-port>
                                    <source-port>10</source-port>
                                    <tcp-flags>TCP_ACK</tcp-flags>
                                </config>
                            </transport>
                        </acl-entry>
                    </acl-entries>
                    <config>
                        <name>full-ipv4</name>
                        <type>ACL_IPV4</type>
                    </config>
                    <name>full-ipv4</name>
                    <type>ACL_IPV4</type>
                </acl-set>
                <acl-set>
                    <acl-entries>
                        <acl-entry>
                            <actions>
                                <config>
                                    <forwarding-action>DROP</forwarding-action>
                                </config>
                            </actions>
                            <config>
                                <sequence-id>12</sequence-id>
                            </config>
                            <ipv6>
                                <config>
                                    <destination-address>0::0/0</destination-address>
                                    <dscp>23</dscp>
                                    <protocol>41</protocol>
                                    <source-address>0::0/0</source-address>
                                </config>
                            </ipv6>
                            <sequence-id>12</sequence-id>
                        </acl-entry>
                    </acl-entries>
                    <config>
                        <name>full-ipv6</name>
                        <type>ACL_IPV6</type>
                    </config>
                    <name>full-ipv6</name>
                    <type>ACL_IPV6</type>
                </acl-set>
                <acl-set>
                    <acl-entries>
                        <acl-entry>
                            <actions>
                                <config>
                                    <forwarding-action>ACCEPT</forwarding-action>
                                </config>
                            </actions>
                            <config>
                                <sequence-id>1</sequence-id>
                            </config>
                            <l2>
                                <config>
                                    <destination-mac>01:02:03:04:05:07</destination-mac>
                                    <destination-mac-mask>FF:FF:FF:FF:FF:FF</destination-mac-mask>
                                    <ethertype>ETHERTYPE_ARP</ethertype>
                                    <source-mac>01:02:03:04:05:06</source-mac>
                                    <source-mac-mask>00:00:00:00:00:00</source-mac-mask>
                                </config>
                            </l2>
                            <sequence-id>1</sequence-id>
                        </acl-entry>
                    </acl-entries>
                    <config>
                        <name>full-mac</name>
                        <type>ACL_L2</type>
                    </config>
                    <name>full-mac</name>
                    <type>ACL_L2</type>
                </acl-set>
            </acl-sets>
        </acl>
    </data>
</rpc-reply>

CLI Output
switch# show run aclmgr
ip access-list full-ipv4
  123 permit tcp any eq 10 any eq ftp-data ack dscp 25 ttl 5 
ipv6 access-list full-ipv6
  12 deny ipv6 any any dscp 23 
mac access-list full-mac
  1 permit 0102.0304.0506 0000.0000.0000 0102.0304.0507 ffff.ffff.ffff 0x806 

interface Ethernet1/31
  ip access-group full-ipv4 in
  ip access-group full-ipv4 out

interface Ethernet1/31.23
  ipv6 traffic-filter full-ipv6 in

interface Ethernet1/32
  mac port access-group full-mac

Note: To get the state data along with the config data, use the <get> method.
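
An added example, not from the original page or the vendor: a Python audit of a <get-config> reply in the shape shown above, reporting bindings that reference no defined ACL, ACLs bound to no interface, and ACCEPT entries whose source and destination are both zero-length prefixes. The sample reply is constructed; the eth1/40 binding to ghost-acl and all function names are assumptions for illustration, and the reply is assumed to carry the whole acl subtree.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"oc": "http://openconfig.net/yang/acl"}

# Constructed sample: a trimmed <get-config> reply in the shape shown above, plus
# one binding (eth1/40 -> ghost-acl, hypothetical) that has no matching acl-set.
SAMPLE_REPLY = """\
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><data>
<acl xmlns="http://openconfig.net/yang/acl"><interfaces>
 <interface><id>eth1/31</id>
  <ingress-acl-sets><ingress-acl-set><set-name>full-ipv4</set-name><type>ACL_IPV4</type></ingress-acl-set></ingress-acl-sets>
  <egress-acl-sets><egress-acl-set><set-name>full-ipv4</set-name><type>ACL_IPV4</type></egress-acl-set></egress-acl-sets>
  <interface-ref><config><interface>eth1/31</interface></config></interface-ref></interface>
 <interface><id>eth1/40</id>
  <ingress-acl-sets><ingress-acl-set><set-name>ghost-acl</set-name><type>ACL_IPV4</type></ingress-acl-set></ingress-acl-sets></interface>
</interfaces><acl-sets>
 <acl-set><name>full-ipv4</name><type>ACL_IPV4</type><acl-entries><acl-entry><sequence-id>123</sequence-id>
  <ipv4><config><source-address>0.0.0.0/0</source-address><destination-address>0.0.0.0/0</destination-address></config></ipv4>
  <transport><config><destination-port>20</destination-port></config></transport>
  <actions><config><forwarding-action>ACCEPT</forwarding-action></config></actions></acl-entry></acl-entries></acl-set>
 <acl-set><name>full-ipv6</name><type>ACL_IPV6</type><acl-entries><acl-entry><sequence-id>12</sequence-id>
  <ipv6><config><source-address>0::0/0</source-address><destination-address>0::0/0</destination-address></config></ipv6>
  <actions><config><forwarding-action>DROP</forwarding-action></config></actions></acl-entry></acl-entries></acl-set>
</acl-sets></acl></data></rpc-reply>"""

def _text(node, path):
    """Stripped text of the first element at an oc:-prefixed path, or None."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None

def _is_any(prefix):
    """True if the prefix is absent (assumed unconstrained) or has length 0."""
    return prefix is None or ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def parse_reply(xml_text):
    """Return (acl_sets, bindings) parsed from a reply carrying the OC acl subtree."""
    root = ET.fromstring(xml_text)
    acl_sets, bindings = {}, []
    for s in root.findall(".//oc:acl-sets/oc:acl-set", NS):
        entries = []
        for e in s.findall("oc:acl-entries/oc:acl-entry", NS):
            fam = next((f for f in ("ipv4", "ipv6") if e.find("oc:" + f, NS) is not None), None)
            entries.append({
                "seq": int(_text(e, "oc:sequence-id")),
                "action": _text(e, "oc:actions/oc:config/oc:forwarding-action"),
                "ip": fam is not None,  # False for L2 (MAC) entries
                "src": _text(e, f"oc:{fam}/oc:config/oc:source-address"),
                "dst": _text(e, f"oc:{fam}/oc:config/oc:destination-address"),
                "l4": e.find("oc:transport", NS) is not None,
            })
        acl_sets[(_text(s, "oc:name"), _text(s, "oc:type"))] = entries
    # Match only list entries under <interfaces>; <interface-ref> holds a leaf
    # that is also named <interface> and must not be mistaken for one.
    for i in root.findall(".//oc:interfaces/oc:interface", NS):
        for d in ("ingress", "egress"):
            for b in i.findall(f"oc:{d}-acl-sets/oc:{d}-acl-set", NS):
                bindings.append((_text(i, "oc:id"), d, (_text(b, "oc:set-name"), _text(b, "oc:type"))))
    return acl_sets, bindings

def audit(xml_text):
    """Return findings as (kind, subject, detail) tuples."""
    acl_sets, bindings = parse_reply(xml_text)
    bound = {key for _, _, key in bindings}
    findings = [("dangling-binding", iface, f"{d} {key[0]}")
                for iface, d, key in bindings if key not in acl_sets]
    for key, entries in acl_sets.items():
        if key not in bound:
            findings.append(("unbound-acl", key[0], key[1]))
        for e in entries:
            if e["ip"] and e["action"] == "ACCEPT" and _is_any(e["src"]) and _is_any(e["dst"]):
                scope = "ports/flags still constrain it" if e["l4"] else "no L4 constraint"
                findings.append(("any-any-accept", key[0], f"seq {e['seq']}: {scope}"))
    return findings
```

Calling audit(SAMPLE_REPLY) returns one finding of each kind; against a reply obtained with a narrower subtree filter, the dangling and unbound checks are not meaningful.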

Configuring an IPv4 Access-Control List

<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>factIpv4</name>
            <type>ACL_IPV4</type>
            <config>
              <name>factIpv4</name>
              <type>ACL_IPV4</type>
            </config>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Note: This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload example shown above.

ip access-list factIpv4

Configuring IPv4 ACE

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>factIpv4</name>
            <type>ACL_IPV4</type>
            <config>
              <name>factIpv4</name>
              <type>ACL_IPV4</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>1</sequence-id>
                <config>
                  <sequence-id>1</sequence-id>
                </config>
                <ipv4>
                  <config>
                    <source-address>0.0.0.0/0</source-address>
                    <destination-address>0.0.0.0/0</destination-address>
                    <protocol>4</protocol>
                  </config>
                </ipv4>
                <actions>
                  <config>
                    <forwarding-action>ACCEPT</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Note: This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload example shown above.

ip access-list factIpv4
 1 permit ip any any

Applying IPv4 ACL to an Interface

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <interfaces>
          <interface>
            <id>eth1/1</id>
            <config>
              <id>eth1/1</id>
            </config>
            <interface-ref>
              <config>
                <interface>eth1/1</interface>
              </config>
            </interface-ref>
            <ingress-acl-sets>
              <ingress-acl-set>
                <set-name>factIpv4</set-name>
                <type>ACL_IPV4</type>
                <config>
                  <set-name>factIpv4</set-name>
                  <type>ACL_IPV4</type>
                </config>
              </ingress-acl-set>
            </ingress-acl-sets>
          </interface>
        </interfaces>
      </acl>
    </config>
  </edit-config>
</rpc>

Note: This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload example shown above.

interface eth1/1
 ip access-group factIpv4 in

Deleting an IPv4 ACL

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="delete">
            <name>factIpv4</name>
            <type>ACL_IPV4</type>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Note: This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload example shown above.

no ip access-list factIpv4

Configuring an IPv6 Access-Control List

<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>factIpv6</name>
            <type>ACL_IPV6</type>
            <config>
              <name>factIpv6</name>
              <type>ACL_IPV6</type>
            </config>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Note: This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload example shown above.

ipv6 access-list factIpv6

Configuring IPv6 ACE

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <acl xmlns="http://openconfig.net/yang/acl">
        <acl-sets>
          <acl-set>
            <name>factIpv6</name>
            <type>ACL_IPV6</type>
            <config>
              <name>factIpv6</name>
              <type>ACL_IPV6</type>
            </config>
            <acl-entries>
              <acl-entry>
                <sequence-id>200</sequence-id>
                <config>
                  <sequence-id>200</sequence-id>
                </config>
                <ipv6>
                  <config>
                    <source-address>10::10/64</source-address>
                    <destination-address>10::11/64</destination-address>
                    <protocol>IP_TCP</protocol>
                  </config>
                </ipv6>
                <actions>
                  <config>
                    <forwarding-action>DROP</forwarding-action>
                  </config>
                </actions>
              </acl-entry>
            </acl-entries>
          </acl-set>
        </acl-sets>
      </acl>
    </config>
  </edit-config>
</rpc>

Note: This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload example shown above.

ipv6 access-list factIpv6
 200 deny tcp 10::10/64 10::11/64